On 02/14/2013 09:05 AM, Simo Sorce wrote:
> So as I proposed we can call ipa user-add from LDAP from a
> non-transactional pre-op plugin. We just need to be careful about when
> we allow that to avoid loops, but besides that problem it seems
> relatively easy and does not require crazy things like playgrounds or
> even full LDAP proxies.
I think I need a clarification because perhaps I didn't fully understand.

Is the idea with a non-transactional pre-op plugin it invokes user-add
and then the pre-op returns *without* having modified LDAP? In effect it
acts as a trigger?

That still implies there has to be a separate tree where the foreign
entity writes (and the pre-op plugin watches) because otherwise how
could the pre-op plugin distinguish between framework writes and foreign

If there is a separate tree where is the looping issue? You still
haven't explained this.

Also, under the scenario that a foreign entity writes something into
LDAP (somewhere) and it triggers us to call user-add via some mechanism,
then what happens when errors occur? The foreign entity will not know we
rejected the operation nor why.

Also, don't forget they want to delete users, remove group membership,
add group membership, add groups, remove groups, etc. Some of these
operations are dependent upon logic in our framework. I don't see how
some of these operations can be reliably managed by a foreign entity
simultaneously performing LDAP operations.
John Dennis <jden...@redhat.com>
Freeipa-devel mailing list